That might not have worked since lxsudo itself is just a symlink to lxqt-sudo.
Instructions:
sudo unlink /usr/bin/pkexec
sudo rm /usr/bin/pkexec
sudoedit /usr/bin/pkexec
contents of wrapper /usr/bin/pkexec:
#!/bin/bash
/usr/bin/lxqt-sudo "$@"
Save.
Make executable.
sudo chmod +x /usr/bin/pkexec
Try.
@Patrick OK I have tried the above.
It does make ZuluCryppt, Synaptic, and KDE Partition Manager (after you add pkexec to the .desktop Exec= command line) work.
However, mounting a vbox-added virtual hard drive in Thunar still doesnât work. (only my very insecure .policy hack makes it work.)
So those commands arenât a full fix - yet.
Happy to keep trying more instructions you provide.
Correcting my previous post.
Wrong:
Edited, fixed:
I guess you had that right already?
I am surprised. No, I didnât suppose editing .desktop Exec= files would be required. It looked plausible to me that replacing pkexec with lxqt-sudo should fix all applications which use Exec= pkexec (already default, no user modification) something or within their wrapper script.
@Patrick No, my .desktop mod only has to apply to KDE Partition Manager. (Iâve needed to do it ever since moving to XFCE from KDE Whonix. To me it is superior to / easier to use than GParted, even though it comes from KDE.) I just mentioned that detail to be more complete. Also, for what itâs worth, your previous instructions were incompatible with my own fix for Thunar disk mounting (UDisks2 .policy file).
Iâll have to try your corrected instructions another time soon, will report back.
I am also experiencing issues starting Zulucrypt (the only application so far for me) with the error relating to pkexec. I applied the (edited) fix posted above, and the application starts, but exits with âunknown error status 255â when I try to mount a volume (in a file) previously created and opened using Zulucrypt in Whonix before the problem manifested. It might not be related (though it is curious timing if not), but wanted to convey my experience. Thanks for working on a solution.
@Patrick thanks for the updated instructions.
Results:
ZuluCrypt launches, and I think @amoretpaxâs problem is probably unrelated to this pkexec problem.
Synaptic fully works! Can install packages via it.
KDE Partition Manager fully works (with my mod to add pkexec in the .desktop)!
Mounting an external drive (vbox VDI) in Thunar: This still doesnât work. Click on the drive in Thunar devices list, nothing happens.
So this still isnât a Whonix-wide fix to the current broken pkexec.
Are you sure you enabled thunar-volman? Itâs disabled by default.
Which change specifically by security-misc breaks pkexec? I need to find out to be able to report a bug against pkexec.
I donât think itâs because of security-misc but anon-base-files as it locks the root account.
https://github.com/Whonix/anon-base-files/blob/master/debian/anon-base-files.postinst#L122
Not the cause.
pkexec does not mind the root password.
proc-hidepid breaks pkexec.
That doesnât make sense. pkexec is setuid-root. It runs as the root user so hidepid=2 wonât affect it.
Disabling proc-hidepid.service doesnât fix the issue either.
I donât have an explanation but
sudo systemctl mask proc-hidepid
and reboot
fixed pkexec issues for me. Reliably. Reproduced many times on and off.
Disabling proc-hidepid.service actually does work for me. It didnât before for some reason (probably because I still had the /sys restrictions enabled).
Hardening - Debian Wiki talks about polkit dropping privileges and needing an exception although there isnât a polkitd user.
I only managed to fix pkexec by allowing the user user unrestricted access to /proc. This means polkitd drops privileges to the current running user instead of any special polkit user. We should make a bug report and try to make them bring back the polkitd user.
You mean this?
gvfs-backends and gvfs-fuse packages, restarted, then ticked âEnable Volume Managementâ to apparently fix that:
ButâŚstill doesnât work. I click on my drive under Devices in Thunar, nothing happens. In my main Whonix, my own insecure hacky fix continues to work.
Hope that helps. The above newer posts sound promising.
Two options to solve this.
The second option is currently being tested by me.
The wrapper could use some review. See:
For now only in developers repository which I donât recommend for users/testers.
Hello. I read the comment in this thread that my specific issue with Zulucrypt throwing an error are probably unrelated to the subject of this thread.
That said, I wanted to offer some anecdotal details from my experience since the last time I posted a comment on this thread.
If it would be better to open a new thread about this, I will gladly do so.
Steps in this process:
(1) Everything is working properly in my instance of Whonix.
(2) Update/upgrade Whonix to Debian 10/Buster base as instructed.
(3) After reboot, I first got the error regarding âpkexecâ, and found this thread. (The only app I used that this affected was Zulucrypt.)
(4) Applied the posted/possible workaround, and was able to start Zulucrypt but not able to open an encrypted volume that had worked fine before upgrade/update to Debian 10/Buster base. Thatâs the error I had posted about previously that might be unrelated to the âpkexecâ error.
Since then:
(5) I opened the original instance of Whonix VMâs (from which this instance was cloned back in July). I went through the exact steps of updating/upgrading as above and duplicated every one of the steps with exactly the same results.
(6) I installed âgnome-disk-utilityâ which has the ability to attach and open LUKS-encrypted images/volumes. It attached okay, but upon attempting to decrypt it, it throws this error upon failure:
âerror unlocking /dev/loop0: The function âbd_crytpo_luks_open_blobâ called but not implemented1 (udisks-error-quark; 0)â
Conclusion: I will gladly post this as a new thread if advisable; it is possible that the error involving âpkexecâ and this problem of decrypting a previously created LUKS volume are separate issues. The certain overlap is that both manifestations began occurring at the time of updating/upgrading the existing Whonix instance to the Debian 10/Buster base.
Thank you.
Amoretpax
Or 3:
polkitd user so we can add it to a proc groupRedirecting pkexec to lxqt-sudo seems like an incredibly hacky way to do this.
if ! mount | grep â/procâ | grep âhidepid=2â
Why grep for /proc then for hidepid=2? hidepid=2 is only a mount option for /proc. It canât be set elsewhere so grepping for /proc is redundant.
Please try if this workaround solves your issue:
If not solved: new thread
If solved: no new thread